Between 50% and 75% of computer security incidents originate from within an organization

What can be done to stop them?

Hundreds of billions of dollars annually. That’s the low estimate of worldwide economic damage caused by compromises in information security. Many organizations, citing negative publicity and damaged stock price, are reluctant to disclose any figures at all.

Management Professor John P. D’Arcy has looked into what can be done to deter employee misuse of technology through such practices as sending inappropriate e-mail, downloading pirated software or gaining unauthorized access to confidential data.

Interestingly, they found that perceived severity of sanctions is more effective than certainty of sanctions. Adding to the mix is evidence that the impact of sanction perceptions varies based on one’s moral sense, perhaps because no matter what the penalty, those with a higher sense of morality find it unpleasant even to be accused of a socially undesirable act. Those with lower moral commitment are more concerned about the penalty they would receive.

The study also suggests that user awareness of acceptable usage guidelines and computer monitoring has some deterrent effect, which is achieved indirectly through the perceived certainty and/or severity of sanctions.